Meanwhile in Security

Links:

• Cloud Security Basics CIOs and CTOs Should Know: https://www.informationweek.com/cloud/cloud-security-basics-cios-and-ctos-should-know/a/d-id/1341578?
• Spring 2021 PCI DSS report now available with nine services added in scope: https://aws.amazon.com/blogs/security/spring-2021-pci-dss-report-now-available-with-nine-services-added-in-scope/
• Top 5 Benefits of Cloud Infrastructure Security: https://www.kratikal.com/blog/top-5-benefits-of-cloud-infrastructure-security/
• The three most important AWS WAF rate-based rules: https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/
• Researchers Call for ‘CVE’ Approach for Cloud Vulnerabilities: https://www.darkreading.com/cloud/researchers-call-for-cve-approach-for-cloud-vulnerabilities
• Managed Private Cloud: It’s all About Simplification: https://www.computerworld.com/article/3623118/managed-private-cloud-its-all-about-simplification.html
• 100 percent of companies experience public cloud security incidents: https://betanews.com/2021/08/04/100-percent-public-cloud-security-incidents/
• Why cloud security is the key to unlocking value from hybrid working: https://www.welivesecurity.com/2021/08/05/why-cloud-security-key-unlocking-value-hybrid-working/
• Organizations Still Struggle to Hire & Retain Infosec Employees: Report: https://www.darkreading.com/careers-and-people/organizations-still-struggle-to-hire-retain-infosec-employees-report
• NSA, CISA release Kubernetes Hardening Guidance: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
• HTTP/2 Implementation Errors Exposing Websites to Serious Risks: https://www.darkreading.com/application-security/http-2-implementation-errors-exposing-websites-to-serious-risks
• Ransomware Gangs and the Name Game Distraction: https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
• Using versioning in S3 buckets: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

Transcript

Jesse: Welcome to Meanwhile in Security where I, your host Jesse Trucks, guides you to better security in the cloud.

Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It’s an awesome approach. I’ve used something similar for years. Check them out. But wait, there’s more. They also have an enterprise option that you should be very much aware of: canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It’s awesome. If you don’t do something like this, you’re likely to find out that you’ve gotten breached, the hard way. Take a look at this. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That’s canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I’m a big fan of this. More from them in the coming weeks.

Jesse: The general theme in security news and trends show us that perimeter defense has a whole new meaning. There is no large perimeter anymore. Nearly every device is on a public or otherwise hostile network, from servers to phones to laptops. Every device needs scanning, protecting, monitoring, and analyzing. None of these devices can be viewed in a vacuum, as separate entities without the context of behavior of systems and services accessed from across a network.

This is why zero trust and cloud native applications and services go so well in these hard times. If you can’t trust anything without checking on current events, then you have to authenticate and analyze in real-time to determine if something is safe to allow. In the ancient days of yore, everything was default allow and you stopped things you knew were bad. Then along came default deny, where you allowed only those things you white listed. But that was a full-time allowance of bad things to happen when an account was compromised.

Ditch the white list and just implement real-time contextual security. If you do this, does it really matter if someone gets a hostile device on your network? Nope. If you treat everything, including owned and managed assets, as hostile, some new unmanaged device or service doesn’t change your operations or exposure much if at all.

Meanwhile in the news. Cloud Security Basics CIOs and CTOs Should Know. Some of the critical things non-cybersecurity execs ought to know: moving to the cloud isn’t a security easy button, cybersecurity insurance generally sucks, and moving to the cloud takes a lot more work than people think to get operationally secure.

Spring 2021 PCI DSS report now available with nine services added in scope. When you do compliance and use cloud infrastructures and SaaS services, you need to prove your services support compliance requirements. This AWS report can help. Also, review the new services added to see if you can improve your service delivery and applicatio...